“Spammers, they may as well hold up a sign!”
Monday October 16, 2006 at 7:28 am CST
Posted by Chris Barton
For a good few weeks we’ve been watching the pharmaceutical and wrist-watch spammers using name server host names in the style “ns1.ns1.some-domain.tld.” (normally they are ns1.domain.tld, a simple hostname without the subdomains). This is a pretty unusual thing to do, and we can only presume the spammers have their own devious or misguided reasons for doing so. The domains registered against these name servers also exhibit another interesting feature: they are registered with the name servers in an invalid (or at least very unusual) way. Furthermore, these domains fail a whole bunch of other simple test cases, with failures that are not found in clean sites. With streaming updates we are able to protect against these campaigns, often ahead of the spam campaigns starting.
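As an added illustration (not code from the original post or from any product it refers to), here is a small Python check for the stacked name server label pattern described above. The function names and the sample records are constructed for this example, and it covers only the hostname pattern, not the other registration tests the post mentions.

```python
import re

# Matches a single label such as "ns", "ns1" or "ns02" (case-insensitive).
NS_LABEL = re.compile(r"ns\d*", re.IGNORECASE)

def leading_ns_labels(hostname):
    """Return (count of consecutive leftmost 'nsN' labels, total labels)."""
    labels = hostname.strip().rstrip(".").split(".")
    count = 0
    for label in labels:
        if not NS_LABEL.fullmatch(label):
            break
        count += 1
    return count, len(labels)

def is_stacked_ns(hostname):
    """True for 'ns1.ns1.some-domain.tld.', False for 'ns1.domain.tld'.

    At least two labels must remain after the 'nsN' run, so a host such as
    'ns1.ns2.com' (where 'ns2.com' is the domain itself) is not flagged.
    Assumption: no public-suffix list is consulted, so multi-label suffixes
    such as 'co.uk' can still produce false positives.
    """
    count, total = leading_ns_labels(hostname)
    return count >= 2 and total - count >= 2

def flag_domains(ns_records):
    """Take (domain, nameserver) pairs; return {domain: [stacked NS hosts]}."""
    flagged = {}
    for domain, ns in ns_records:
        if is_stacked_ns(ns):
            key = domain.strip().rstrip(".").lower()
            flagged.setdefault(key, []).append(ns.strip().rstrip(".").lower())
    return flagged

# Constructed sample delegation data (not real observations).
SAMPLE_NS_RECORDS = [
    ("pills-example.test.", "ns1.ns1.pills-example.test."),
    ("pills-example.test.", "NS2.ns2.pills-example.test."),
    ("watches-example.test", "ns1.ns1.hosting-example.test"),
    ("clean-example.test.", "ns1.clean-example.test."),
    ("clean-example.test.", "ns2.clean-example.test."),
]

if __name__ == "__main__":
    for domain, hosts in flag_domains(SAMPLE_NS_RECORDS).items():
        print(domain, "->", ", ".join(hosts))
```

A hit on this pattern is a signal to combine with other checks on the domain rather than a verdict on its own.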
